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(54) On-line restoration of redundancy information in a redundant array system 

(57) There is disclosed a method for on-line restora- 
tion in a redundant array of storage units of the type 
having means for providing a signal that a data block 
therein has not been successfully written to and is 
potentially corrupted. A plurality J otrlpes each contain 
a plurality of data blocks and an associated redundancy 
block After one of the blocks in one stripe has been 
detected to be potentially corrupted, a valid data block 
from a data modification operation is temporarily stored, 
all the uncorrupted blocks are accessed, a redundancy 
block is- computed from the access blocks and tempo- 
rarily stored block, and the redundancy block and valid 
data block are stored in the stripe. 
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Description 
" BACKGROUND OF THE INVENTION 

1 . Field of the Invention 

This invention relates to computer system data stor- 
age, and more particularly to methods for on-line resto- 
ration of parity information in a redundant array storage 
system. 

2. Description of Related Art 

Atypical data processing system generally involves 
one or more storage units which are connected to a 
Central Processor Unit (CPU) either directly or through 
a control unit and a channel. The function of the storage 
units is to store data and programs which the CPU uses 
in performing particular data processing tasks. 

Various type of storage units are used in current 

one or more large capacity tape units and/or disk drives 
(magnetic, optical, or semiconductor) connected to the 
system through respective control units for storing data. 

However, a problem exists if one of the large capac- 
ity storage units fails such that information contained in 
: i.t j-nt is ;.o iuiyor ..iva..u>: * tne system. Generally, 
f;ucn i failure will srv..: divn tr& entire computer sys- 
tem. 

The prior art has suggested several ways of solving 
the problem of providing reliable data storage. In sys- 
tems where records are relatively small, it is possible to 
use error correcting codes which generate ECC syn- 
drome bits that are appended to each data record within 
a storage unit. With such codes, it is possible to correct 
a small amount of data that may be read erroneously. 
However, such codes are generally not suitable for cor- 
recting or recreating long records which are in error, and 
provide no remedy at all if a complete storage unit fails. 
Therefore, a need exists for providing data reliability 
external to individual storage units. 

Other approaches to such "external" reliability have 
been described in the art. A research group at the Uni- 
versity of California, Berkeley, in a paper entitled "A 
Case for Redundant Arrays of Inexpensive Disks 
(RAID)", Patterson, et a/., Proc. ACM SIGMOD, June 
1988, has catalogued a number of different approaches 
for providing such reliability when using disk drives as 
storage units. Arrays of disk drives are characterized in 
one of five architectures, under the acronym "RAID" (for 
Redundant Arrays of Inexpensive Disks). 

A RAID 1 architecture involves providing a dupli- 
cate set of "mirror" storage units and keeping a dupli- 
cate copy of all data on each pair of storage units. While 
such a solution solves the reliability problem, it doubles 
the cost of storage. A number of implementations of 
RAID 1 architectures have been made, in particular by 
Tandem Corporation. 



A RAID 2 architecture stores each bit of each word 
of data, plus Error Detection and Correction (EDC) bits 
for each word, on separate disk drives (this is also 
known as "bit stripping"). For example, U.S. Patent No. 

5 4,722,085 to Flora et al. discloses a disk drive memory 
using a plurality of relatively small, independently oper- 
ating disk subsystems to function as a large, high 
capacity disk drive having an unusually high fault toler- 
ance and a very high data transfer bandwidth. A data 

w organizer adds 7 EDC bits (determined using the well- 
known Hamming code) to each 32-bit data word to pro- 
vide error detection and error correction capability. The 
resultant 39-bit word is written, on bit per disk drive, on 
to 39 disk drives. If one of the 39 disk drives fails, the 

15 remaining 38 bits of each stored 39-bit word can be 
used to reconstruct each 32-bit data word on a word-by- 
word basis as each data word is read from the disk 
drives, thereby obtaining fault tolerance. 

An obvious drawback of such a system is the large 

20 number of disk drives required for a minimum system 
[r/<\ aMif ".i ... • . 

relatively high ratio of drives required to store the EDC 
bits (7 drives out of 39). A further limitation of a RAID 2 
disk drive memory system is that the individual disk 

25 actuators are operated in unison to write each data 
block, the bits of which are distributed over all of the disk 
d.v,£5. I ~>£ ivj •r.M'it .iC.:" - i. J: ■ '.i 

wkith. since e'ich individual disk ?r:*r;:;VT '. ; \ "'ock 
of data, the net effect being that the entire ciccK is avail- 

30 able to the computer system much faster than if a single 
drive were accessing the block. This is advantageous 
for large data blocks. However, this arrangement also 
effectively provides only a single read/write head actua- 
tor for the entire storage unit. This adversely affects the 

35 random access performance of the drive array when 
data files are small, since only one d^ta fifp rt a t : ^fr can 
be accessed by the "single" actuator. Thus, RAID 2 sys- 
tems are generally not considered to be suitable for 
computer systems designed for On-Line Transaction 

40 Processing (OLTP), such as in banking, financial, and 
reservation systems, where a large number of random 
accesses to many small data files comprises the bulk of 
data storage and transfer operations. 

A RAID 3 architecture is based on the concept that 

45 each disk drive storage unit has Internal means for 
detecting a fault or data error. Therefore, it is not neces- 
sary to store extra information to detect the location of 
an error; a simpler form of parity-based error correction 
can thus be used. In this approach, the contents of all 

so storage units subject to failure are "Exclusive OR'd" 
(XOR'd) to generate parity information. The resulting 
parity information is stored in a single redundant stor- 
age unit. H a storage unit fails, the data on that unit can 
be reconstructed on to a replacement storage unit by 

55 XOR'ing the data from the remaining storage units with 
the parity information. Such an arrangement has the 
advantage over the mirrored disk RAID 1 architecture in 
that only one additional storage unit is required for "N" 
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storage units. A further aspect of the RAID 3 architec- 
ture is that the disk drives are operated in a coupled 
«» manner, similar to a RAID 2 system, and a single disk 
drive is designated as the parity unit. 

One implementation of a RAID 3 architecture is the 5 
Micropolls Corporation Parallel Drive Array, Model 1804 
SCSI, that uses four parallel, synchronized disk drives 
and one redundant parity drive. The failure of one of the 
four data disk drives can be remedied by the use of the 
parity bits stored on the parity disk drive. Another exam- 
ple of a RAID 3 system is described in US. Patent No. 
4,092,732 to Ouchl. 

A RAID 3 disk drive memory system has a much 
lower ratio of redundancy units to data units than a 
RAID 2 system. However, a RAID 3 system has the 
same performance limitation as a RAID 2 system, in 
that the individual disk actuators are coupled, operating 
in unison. This adversely affects the random access 
performance of the drive array when data files are small, 
since only one data file at a time can be accessed by the 

not considered io be suitable for computer systems 
designed for OLTP purposes. 

A RAID 4 architecture uses the same parity error 
correction concept of the RAID 3 architecture, but 

improves on the performance of a RAID 3 system wi'h 

the operation t:f "mIjv :1um rJiSK ririve actuator:- 
reading and wilting a largei minimum amount ci data 
(typically, a disk sector) to each disk (this is also known 
as block stripping). A further aspect of the RAID 4 archi- 
tecture is that a single storage unit is designated as the 
parity unit. 

A limitation of a RAID 4 system is that Writing a 
data block on any of the independently operating data 
storage units also requires writing a new parity bloc^ m 
the parity unit. The parity information stored on the par- 
ity unit must be read and XOR'd with the old data (to 
"remove" the information content of the old data), and 
the resulting sum must then be XOR'd with the new data 
(to provide new parity information). Both the data and 
the parity records then must be rewritten to the disk 
drives. This process is commonly referred to as a 
"Read-Modify-Write" sequence. 

Thus, a Read and a Write on the single parity unit 
occurs each time a record is changed on any of the data 
storage units covered by the parity record on the parity 
unit. The parity unit becomes a bottle-neck to data writ- 
ing operations since the number of changes to records 
which can be made per unit of time is a function of the 
access rate of the parity unit, as opposed to the faster 
access rate provided by parallel operation of the multi- 
ple data storage units. Because of this limitation, a 
RAID 4 system is generally not considered to be suita- 
ble for computer systems designed for OLTP purposes. 
Indeed, it appears that a RAID 4 system has not been 
implemented for any commercial purpose. 

A RAID 5 architecture uses the same parity error 



correction concept of the RAID 4 architecture and inde- 
pendent actuators, but improves on the writing perform- 
ance of a RAID 4 system by distributing the data and 
parity information across all of the available disk drives. 
Typically, "N + 1 " storage units in a set (also known as a 
"redundancy group") are divided into a plurality of 
equally sized address areas referred to as blocks. Each 
storage unit generally contains the same number of 
blocks. Blocks from each storage unit in a redundancy 
group having the same unit address ranges are referred 
to as "stripes". Each stripe has N blocks of data, plus 
one parity block on one storage unit containing parity for 
the remainder of the stripe. Further stripes each have a 
parity block, the parity blocks being distributed on differ- 
ent storage units. Parity updating activity associated 
with every modification of data in a redundancy group is 
therefore distributed over the different storage units. No 
single unit is burdened with all of the parity update activ- 
ity. 

For example, in a RAID 5 system comprising 5 disk 

... . ...... t , . > ...... . . . . , „ -.V ■ 

may be written to the fifth drive; the parity information for 
the second stripe of blocks may be written to the fourth 
drive; the parity information for the third stripe of block 
may be written to the third drive, etc. The partly block for 

succeeding stripes Ivpicallv "processes" around the 

.o'. jr. /<.." •' : • . , ;. . ; 
may he us or!). 

Thus, no single di'jk dnve is used toi sioiing the 
parity information, and the bottleneck of the RAID 4 
architecture is eliminated. An example of a RAID 5 sys- 
tem is described in US. Patent No. 4,761 ,765 to Clark et 
al. 

As in a RAID 4 system, a limitation of a RAID 5 sys- 
tem is that a change in a data block requires a Read- 
Modify- Write sequence ccmp ri c . ! ng twr> ^9?r' R^ci -"T 
Write operations: the old parity block and old data block 
must be read and XOR'd and the resulting sum must 
then be XOR'd with the new data. Both the data and the 
parity blocks then must be rewritten to the disk drives. 
While the two Read operations may be done in parallel, 
as can the two Write operations, modification of a block 
of data in a RAID 4 or a RAID 5 system still takes sub- 
stantially longer than the same operation on a conven- 
tional disk. A conventional disk does not require the 
preliminary Read operation, and thus does not have to 
wait for the disk drives to rotate back to the previous 
position in order to perform the Write operation. The 
rotational latency time alone can amount to about 60% 
of the time required for a typical data modification oper- 
ation. Further, two disk storage units are involved for the 
duration of each data modification operation, limiting the 
throughput of the system as a whole. 

Despite the Write performance penalty, RAID 5 
type systems have become increasingly popular, since 
they provide high data reliability with a low overhead 
cost for redundancy, good Read performance, and fair 
Write performance. 
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A RAID 5 architecture has particular utility in OLTP 
computer systems. Many OLTP systems must be high- 
« availability systems, meaning that complete failure of 
the system has a low-probability. High availability can be 
achieved by using high-reliability components, having a 5 
fault-tolerant design with a low mean-time-to-repair 
(MTTR), and designing for "staged" degradation, where 
the failure of a component may reduce system capabil- 
ity but without causing total system failure. 

Although a principal feature of a RAID system is 10 
fault-tolerance, such capability alone does not guaran- 
tee a high-availability system. If a storage unit fails, gen- 
eral system operation cannot continue until the failed 
storage unit is replaced and the information on it is 
restored. When a storage unit fails in a RAID architec- is 
ture, the art teaches that a replacement storage unit is 
substituted for the failed storage unit (either manually or 
electronically switched in from a set of one or more 
spares) and the "lost" data is reconstructed on the 
replacement storage unit by XOR'ing each parity block 20 

storage unit driven in the redundancy group. Such 
reconstruction assumes that the parity information is 
valid. 

However, data can be lost in situations not involving 25 
a failure of r storage unit. For example, if a temporary 

/. -* rr-vr 1:1 ur 
rrcurr. tc 1 ?t<;tac;e unit cJuriro a Write orer-it'nn. rh^re 
is no ussutance that the data 01 the con espousing par- 
ity information were properly written and valid. Since 30 
two I/O operations are required to update the data and 
its associated parity. It is difficult to determine which I/O 
operation was completed before the system termina- 
tion. Thus, the data that was being Written couid be cor- 
rupted. Further, if a storage unit were to totally fail after 35 
corruption o- seme of the parity information stored on 
other storage units the failed storage unit could not be 
fully reconstructed with good data. 

One method taught in the art for resolving this prob- 
lem is set forth in U.S. Patent No. 4,761 ,785 to Clark et 40 
al. This reference teaches using version numbers 
stored in each data block and corresponding parity 
block. When a Write operation for a data block is com- 
pleted, the version numbers in the data block and its 
corresponding parity block are equal. During recovery 45 
of a lost record, the version numbers are checked to 
ensure synchronization of the data blocks with the parity 
block. Forcing recovery without valid synchronization 
would produce unpredictable data. However, updating 
version numbers required a processing overhead so 
throughout normal operation, as well as slightly reduced 
capacity because of the need to store the version num- 
bers with each block. 

Reference is also made to EP-A-297507 which 
describes a redundant memory architecture in which a 55 
plurality of primary memory units are backed up by a 
single backup memory unit. The backup memory unit 
holds the checksum of all data held at common 



addresses in the primary memory units. If two or more 
memory units are concurrently updated with data at the 
same address, the update of the checksum at that 
address in the backup unit is developed serially. One 
problem with this is that the checksum stored at any par- 
ticular time may not accurately reflect the data stored in 
a particular memory unit. 

Another problem is that, if a failure occurs during 
memory access, the checksum for affected addresses 
can only validly be generated after new, valid data has 
been resubmitted to the affected storage unit. 

Therefore, a need exists for a simple method for 
ensuring that valid parity information in generated in a 
RAID system even in the event of a temporary "failure". 
It is also desirable to have a RAID system in which res- 
toration of such parity information can be conducted 
"on-line", while general system operation continues in a 
normal fashion. It is also desirable to have a RAID sys- 
tem in which restoration of such parity information can 
be conducted without requiring added processing over- 

The present invention provides such a method. 
Another such method is disclosed in our parent applica- 
tion No. 91310909.6. 

The present invention provides a method of restor- 
ing *'?!irt datR l r. p, e^nrpqe unit aflpr a Write failt«r» 

: tnn« "n-'M-, fi f n it;. <n!firnnt »ntOM'Lpii^n 
cpofciticn ot tht rpaunriant array system, and wkhuut 
requiring added processing during normal operation. 

According to one aspect of the invention there is 
provided a method for on-line restoration of a valid data 
block and an associated redundancy block in a redun- 
dani Lir«y of siwicyc units, said storage unito caJi 
being of the type having means for providing a signal 
thot a da*a Monk h?d not been succprrfully 'vrttr-n 1c 
said array and is potentially corrupted, being coupled to 
a controller, and having a plurality of stripes, each stripe 
containing a plurality of data blocks and an associated 
redundancy block, after one of said blocks in one of said 
stripes has been detected to have been potentially cor- 
rupted during a data modification operation, said 
method comprising: 

temporarily storing the valid data block from the 
data modification operation; and characterised by 
the steps of: 

accessing all of the uncorrupted data blocks in the 
stripe containing the potentially corrupted blocks; 
computing at least one redundancy block from the 
accessed blocks and the temporarily stored valid 
data block; and 

storing the computed at least one redundancy block 
and the valid data block in the stripe. 

According to another aspect of the invention there 
is provided a control system for on-line restoration of a 
valid data block and at least one associated redundancy 
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block after either of said blocks has been corrupted dur- 
ing a data modification operation in a redundant array of 
storage units, said storage units being of the type hav- 
ing data error detection means and having a plurality of 
stripes, each containing a plurality of data blocks and at 5 
least one associated redundancy block, said control 
system comprising: 

means for holding the valid data block from the data 
modification operation; characterised by: 10 
means for accessing all of the uncorrupted data 
blocks in the stripe containing the potentially cor- 
rupted blocks; 

means for computing at least one redundancy block 
from the accessed blocks and the held valid data 15 
block; and 

means for storing the computed at least one redun- 
dancy block and the valid data block in the stripe. 

The preferred method includes the following steps: 20 

(1) Resubmitting the interrupted Write operation to 
the CPU. 

(2) For the stripe that was being Written when the 
temporary failure occurred, computing a new 25 

rfviunrinncv h!o r ^ I'^in*"* nl' vfM'd dp.'r* hlonlr >n 

(3) Wilting ovc \hi ^-otentiaily ocnupteo ;-^:ur 
da/icy block with the recomputed redundancy 30 
block. 

(4) Writing over the potentially corrupted data block 
with the new data block 

The details of the preferred embodiments of the 35 
present invention sre set forth in the accompanying 
drawings and the description below. Once the details of 
the invention are known, numerous additional innova- 
tions and changes will become obvious to one skilled in 
the art. 40 

BRIEF DESCRIPTION OF THE DRAWINGS 

Figure 1 is a block diagram of a generalized RAID 
system in accordance with the present invention. 45 
Figure 2A is a diagram of a model RAID 5 system, 
showing an initial state. 

Figure 2B is a diagram of a model RAID 5 system, 
showing a failed data block on one storage unit. 
Figure 3 is a flowchart representing the restoration so 
process for a preferred embodiment of the present 
invention. 

Like reference numbers and designations in the 
drawings refer to like elements. 55 



DETAILED DESCRIPTION OF THE INVENTION 

Throughout this description, the preferred embodi- 
ment and examples shown should be considered as 
exemplars, rather than limitations on the method of the 
present invention. 

Background Information 

FIGURE 1 is block diagram of a generalized RAID 
system in accordance with the present invention. 
Shown are a CPU 1 coupled by a bus 2 to an array con- 
troller 3. The array controller 3 is coupled to each of the 

plurality of storage units S1-S5 (five being shown by 
way of example only) by an I/O bus (e.g., a SCSI bus). 
The array controller 3 preferably includes a separately 

programmable, multitasking processor (for example, the 
MIPS R3000 RISC processor, made by MIPS Corpora- 
tion of Sunnyvale, California) which can act independ- 
ently of the CPU 1 to control the storage units. The 

tasking computer program executed by the conti oiler 3. 

The storage units S1 -S5 can be grouped into one or 
more redundancy groups. In the illustrated examples 
described below, the redundancy group comprises all of 

■h~ ntora.rjA un ; *s. S1 -SS W r ;rr *p!'civ °. f oyn>pnr*ic^ 

'-.h"winy ?r ''r^-A ■?. r * ; •; 'y • 

five storage units, S1-L5 b iji roA A-r-I . ;r p 
Redundancy blocks are indicated by circled numbers, 
and are spread throughout the array. One bit "blocks" 
are shown for each storage unit in a stripe for simplicity. 
Each block could instead be any other unit of riro, such 
ci3 a byte, sector, or yioup jeuuts. 

In a modern RAID system, several Write operations 
can be "stacked", and thi«c s^-fii.-J ci r 'pr.s nay ^r- 
rupted when such Write operations are interrupted. For 
simplicity, the following description is directed to restor- 
ing a single stripe. However, it should be understood 
that the invention applies to the more general case of 
restoring a plurality of stripes after a temporary failure. 

Figure 2B shows the same RAID model as Figure 
2A, but with a temporary failure having occurred while 
Writing to stripe C (the x's representing corrupted data 
and/or redundancy blocks). Because of the failure, there 
is no assurance that the data from the CPU 1 or the cor- 
responding redundancy information were properly writ- 
ten and valid. Such a failure can occur, for example, 
from a power loss to storage unit S1 or to all of the stor- 
age units, or from a failure of the controller 3. 

After such a temporary failure has been detected 
and the cause of the failure rectified, described embod- 
iments of the present invention is used to properly 
restore the failed stripe. 

Figure 3 is a flowchart representing the restoration 
process for a second preferred embodiment of the 
present invention. 

For each affected stripe, the valid data block from 
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the interrupted Write operation that was being executed 
by the CPU 1 is resubmitted to the array controller 3 for 
«t storage (Step 40). For the stripe that was being Written 
when the temporary failure occurred (stripe C in Figure 
2A), a new redundancy block is computed using all valid 5 
data blocks in the stripe (excluding the potentially cor- 
rupted data block that was being Written before the fail- 
ure, as well as the redundancy block for the stripe. 

To compute the new redundancy block, the data 
blocks are Read from storage units S2, S4, and S5 for 10 
stripe C in the array (Step 30) and XOR'd (in the pre- 
ferred embodiment) with the new data block (Step 41). 
This first step creates a redundancy block that is valid 
for the actual values of the corresponding valid data 
blocks on all storage units and for the new data block. 15 

Thereafter, the new redundancy block is stored in 
the corresponding redundancy block location (S3 on 
stripe C) of the array, and the new data block is stored 
on the appropriate storage unit of the array (S1 on stripe 
C) (Step 43). After each affected stripe is corrected, the 20 

Again, the storage units involved in any restoration 
operation are preferably "locked" so that any concur- 
rently operation I/O tasks cannot affect the restoration 
process. 25 



Jndt' 't k.'ct c-ibuve, the f;c^siLii.i> 

exists that the CPU 1 cannot resubmit one or more jw 
Write requests that were outstanding at the time the 
array failed (e.g., because of some failure in the CPU 1). 
It is still necessary to assure that the redundancy data 
ui trie SiOfuy^j uritt^ .o u^uuuueiu vvith the vaiid i/oui 
data in the data blocks of each stripe that were not 35 
heing mccVird during ih^ 'c.ilurr. Otherwise, a subse- 
quent error cannot be corrected. Therefore, the redun- 
dancy block of each stripe affected by the failure is 
restored by reading each data block (including the cor- 
rupted data block) in the stripe, generating a new redun- 40 
dancy block from such data blocks, and storing the new 
redundancy block in its proper place in the stripe (i.e., 
essentially performing Steps 30, 31, and 32 described 
above). Preferably, such restoration is done on-line as a 
separate task while the array continues to function nor- 45 
mally at least with respect to stripes that were not 
affected by the failure. 

Although the above-described procedure assures 
that the redundancy block in each stripe affected by a 
temporary failure is restored, so that subsequent modi- so 
f ications to data blocks in the stripe are valid, it would be 
desirable to fully restore the data that was being written 
during the failure. Therefore, to provide greater reliabil- 
ity, the controller 3 for the RAID system of the present 
invention preferably includes a non-volatile storage 55 
device (e.g., battery powered RAM) as a data buffer for 
temporarily storing Write requests from the CPU 1 until 
each Write operation has completed. If a temporary fail- 



ure occurs as described above, the controller 3 can first 
attempt to obtain the Write data from the non-volatile 
storage device. If that action fails for any reason, the 
controller 3 can attempt to obtain the Write data from 
the CPU 1. 

Summary 

The invention thus provides a simple method for 
ensuring that valid redundancy information is generated 
in a RAID system even in the event of a temporary "fail- 
ure". Because of the looking of each affected storage 
unit during a restoration operation and implementation 
as a concurrent task, either method can be used on-line 
with insignificant interruption of normal operation of the 
redundant array system, and without requiring added 
processing during normal operation. 

A number of embodiments of the present invention 
have been described. Nevertheless, it will be under- 
stood that various modifications may be made without 

example, the present invention can be used with RAID 
3, RAID 4, or RAID 5 systems. Furthermore, an error- 
correction method in addition to or in lieu of the XOR- 
generated parity may be used for the necessary redun- 

•/ . 7 ■ \ 'iv-.ii VT4/°e ■!•/•■■.' ••<;« : "iv: 

^y^\ .v. iir.d tiled" d'.i3 L.tw. s -.»-o !'■ t! ^b^ne- 
me present invention. With the struciuie and method 
taught by that reference, the present invention can 
accommodate the loss of two storage units if both XOR 
and Read-Solomon (or any other system) redundancy 

invention is not to be limited by the specific illustrated 

r. "h'-dim^nt, but only by the ~cv: rf th» Kpp^rrieri 
claims. 

Claims 

1 . A method for on-line restoration of a valid data block 
and an associated redundancy block in a redundant 
array of storage units (S1-S5), said storage units 
each being of the type having means for providing a 
signal that a data block had not been successfully 
written to said array and is potentially corrupted, 
being coupled to a controller (3), and having a plu- 
rality of stripes (A - H), each stripe containing a plu- 
rality of data blocks and an associated redundancy 
block, after one of said blocks in one of said stripes 
has been detected to have been potentially cor- 
rupted during a data modification operation, said 
method comprising: 

temporarily storing the valid data block from the 
data modification operation (Step 40); and 
characterised by the steps of: 
accessing all of the uncorrupted blocks (Step 
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41); 

computing at least one redundancy block from 
the accessed blocks and the temporarily stored 
valid data block (Step 42); and 
storing the computed at least one redundancy 
block and the valid data block in the stripe 
(Step 43). 

2. The method of claim 1 further characterized in that 
at least one redundancy block in each stripe con- 
tains parity information, and the step of computing 
the at least one redundancy block is characterized 
by exclusively-OR'ing the accessed blocks with the 
temporarily stored valid data block. 

3. The method of claim 1 further characterized by the 

steps being performed as a task concurrently with 
other input/output tasks. 

4. The method of claim 1 further characterized by 
ing the restoration pi ucess. 

5. The method of claim 1 further characterized by stor- 
ing each data modification operation submitted to 

fho rp("fn'"»Ho'?' J- ^nr* <<r-.'n* : tr> c/^r^r"* Hf"w»im 



8. The control system of claim 6 further characterized 
by means for performing the restoration process as 
a task concurrently with other input/output tasks. 

5 9. The control system of claim 6 further characterized 
by means for locking each block being read or mod- 
ified being locked during the restoration process. 

10. The control system of claim 6 further characterized 
10 by means for storing each data modification opera- 
tion submitted to the redundant array in a non-vola- 
tile storage device until the data modification 
operation is completed. 

15 



P0 



25 



6. A cor.tio 1 eye**. \ . »;v . ; lS:-W< :.. ? "-. 

data block and at !casi one associated redundancy 30 
block after either of said blocks has been corrupted 
during a data modification operation in a redundant 
array of storage uni's 'S1-SF). said stornge units 

and having a plurality of stripes (A - H), each con- 35 

laining a plu?r.!itj r < Llv.tr. hi; ks C;:*d r.t least p-^.c 
associated redundancy block, said control system 
comprising: 

means (1 or 3) for holding the valid data block 40 
from the data modification operation; charac- 
terised by: 

means for accessing all of the uncorrupted 
data blocks in the stripe containing the poten- 
tially corrupted blocks; 45 
means for computing at least one redundancy 
block from the accessed blocks and the held 
valid data block; and 

means for storing the computed at least one 
redundancy block and the valid data block in so 
the stripe. 

7. The control system of claim 6 further characterized 
in that at least one redundancy block in each stripe 
contains parity information, and the means for com- 55 
puting the at least one redundancy block is charac- 
terized by means for exclusively-OR'ing the 
accessed blocks with the held valid data block. 
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(54) On-line restoration of redundancy information in a redundant array system 



(57; '< -.ere- i& disclosed a method forof. \'r.v restnici- 
tion in a redundant array of storage units cf the type 
having means for providing a signal that a data block 
therein has not been successfully written io and is 
potentially corrupted. A plurality of stripes each contain 
a plurality of data blocks and an associated redundancy 
block. After one of the blocks in one stripe has been 
detected to be potentially corrupted, a valid data block 
from a data modification operation is temporarily stored, 
all the uncorrupted blocks are accessed, a redundancy 
block is computed from the access blocks and tempo- 
rarily stored block, and the redundancy block and valid 
data block are stored in the stripe. 
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